Today identity theft is a very real threat that we face. There are many unprotected pieces of information that can be used to identify oneself that have little or no internal protection. The worst thing is that we are not in control over our own data. Once we have given information to a third party like an insurance company, a bank, or utility company we have little or no control over what happens to this information. We are not able to say he Mr. Blue Cross I want to terminate my service with you because I don’t think you secure my information properly. Sure you can cancel your service with the company, but what happens to your data?
Recently I opened a checking account with a bank. I was surprised when I was told I was done. I’m used to having to sign a digital pad with my signature which I was always told was used for verification purposes. I inquired, “Don’t you need my signature to use for verification”, she responds “No, checks are no longer verified with their signature”. That is the last straw, I might as well just take put my checking account information on a billboard to make it easier for my hard earned funds to be stolen!
I used to have the mindset that if a check was lost or stolen but not stolen I was somewhat protected since the check had to be signed. I knew several years ago even this thinking was a farce. All you need is an ACH account and my routing number and account number and that’s all. Who came up with this system? Were they all trusting and assumed that no checks or account would every be compromised? The financial and private information systems in our country (and likely internationally) needs to be updated to handle real threats that we may encounter daily!
It sickens me that my emails has two factor authentication, is better protected than my bank account! I am hearing about companies on a frequent basis being compromised and credit card information being stolen as well as other sensitive data. This is ridiculous, are you expecting me to believe that in our huge government there isn’t some sort of organization or committee that is supposed to making sure that companies that store this sort of information actually do what is necessary to protect their data? Stupid me that made that assumption. Unfortunately, I don’t have a choice. Unless I want to be Amish or completely off the grid some organizations are going to have my sensitive information that may be compromised at any moment.
Something needs to be done…now!
Let’s start with the biggest security hole I know of, the social security number. Since 1935 the nine digit number was used to identify American citizens with their social security accounts. For some reason this became the defacto primary means of identification for US citizens. You just rattled of your nine digits to companies and you were who you said you were. For verification purposes companies usually only ask for your last four of your SSID but they sometimes ask for the entire number as well. Since the SSID was created only as a means of identifying yourself for your social security account it probably wasn’t intended for such widespread usage as we see today. There isn’t any other security standard that remains unchanged after almost eighty years.
Pretend for a moment that we have just been tasks with designing a system for American citizens to use as universal identifier that is a common format and something that most of the population uses. What would that system look like? Let’s design something right now.
One thing that is nice about the SSID is that it is only nine digits long and fairly easy to remember. Today where we have a much larger population we would probably want to use a longer sequence and expands the key-set to include letters as well numbers. One more thing let’s also allow it to be case sensitive, further doubling the key-set. Let’s see what our hypothetical ID could look like:
Fy32-h26H-K02D-xM4r (four characters in four groups total of 16 characters)
Even guessing this number would be nearly impossible, but given enough time anything is possible. Now Let’s add in a second factor of authentication to prove that you aren’t just an eavesdropper who got the ID sequence. Let’s make it that you must have a six digit numeric pin code that must be changed at least once every 3 months:
35-26-65-16 (Yeah its annoying but so is having someone steal your identity).
Okay, let’s take it one step further and incorporate an additional security mechanism that is becoming common place in many security setup a third factor of authentication. Very commonly this is with a smart-phone application that has been setup to be associated with a time based synchronization that will yield a known sequence every n seconds that will be unique to your account. This is an every changing pin that is based on some initial value that is used to produce a pseudo-random sequence use for verification purposes.
Okay so now we have a much stronger identifier, a known password, and a third constantly changing sequence. Are we safe? No, not even close. We are potentially just as vulnerable now as we are with the current SSID schema. Firstly, how would a third party validate your pin and third form of authentication? That presents a problem. The reason that the SSID was so easy was all you needed was to have the user spit out their social and compare it to the account on record, if it matched he must be who he says he is.
We have two major issues, and one minor issue. The two major issues is that the third party may still be storing your sensitive data in an insecure manner. The second being how can that third party validate your sensitive data? The last issue is we have put a lot more “stuff” on the account holder to remember. A longer ID, a pin and having to have some method of third form of authentication, people are going to complain about that!
The third-party should not need to posses the “plain text” or unprotected form of ID. We said earlier that there were two basic reasons why the SSID was used. The first being it is something that most people posses. The second being that it is unique guaranteeing that no two people will have the same IDS and therefore serves as an easy way to uniquely identify a given user. Knowing the plain text SSID may be needed at times but really the third-party really wants an easy user verification mechanism.
I’m not going to tell you that every American in the country has a smart phone, but I will say that many do. Between a smart-phone or computer there is a good bet that most Americans have either a smart-phone or computer. Let’s leverage that assumption in securing our user’s ID. There are banks now that offer a “virtual credit card” which is a pointer to a real credit card but the user has the benefit of never giving the merchant their actual credit card number. Should the consumer wish to terminate their account they can unlink the virtual credit card and immediately prevent the merchant from charging the user’s actual credit card.
Let’s apply this same logic to our ID system. Imagine I call up a company and want to utilize their services. They need to input some information about myself into their system and they ask for my ID number. Instead of me giving them my real number I hop onto to my phone open the “ID” application and click “generate new ID”. The representative on the phone gives me the company’s ID number that uniquely identifies them as a company. I punch that number into the application, enter my pin, and verify the third factor authentication. Now a unique ID has been created just for this organization.
The application let’s me know what type of information the company requests and what level of access as well. I can choose to grant them access, or deny it and hang up the phone. Some companies may only need a verification mechanism. In the future the user would just open his app enter his pin, and third factor validation and give the company representative the ID and a corresponding validation code. This enables the company to unlock the specific ID for verification purposes.
Without the verification code the company has only a unique ID that is only a virtual reference to your ID. You can look at your ID’s activity viewing everytime the company attempts to access your information, what they view and when. At anytime you can revoke the virtual ID and suspend them from accessing your information until you grant that information once again.
Within the ID granted the company may request certain types of information without needing a new verification code. For instance, the company may wish to send you a bill in the mail and shouldn’t need to call you for a verifiication code everytime they want to send you mail to retrieve your address information. This information however will be audited and viewable to you at any time. This sensitive information still will not be stored on the companies servers. They will use the ID and their verification code the request the information from a centralized system when needed. An alternative is some sort of LastPass locally encrypted concept..we can work on this.
Well this was fun, we can brainstorm some more later. Things need to change, the crazy people who like to mess with other people’s lives aren’t going to stop. We need to step and and protect our data.